.Dd Jan 24, 2024
.Dt RZ_GG 1
.Sh NAME
.Nm rz-gg
.Nd rizin frontend for RzEgg, compile programs into tiny binaries for different architectures.
.Sh SYNOPSIS
.Nm rz-gg
.Op Fl FOLsrxvhz
.Op Fl a Ar arch
.Op Fl b Ar bits
.Op Fl k Ar os
.Op Fl f Ar format
.Op Fl o Ar file
.Op Fl i Ar shellcode
.Op Fl I Ar path
.Op Fl e Ar encoder
.Op Fl B Ar hexpairs
.Op Fl c Ar k=v
.Op Fl C Ar file
.Op Fl n Ar dword
.Op Fl N Ar qword
.Op Fl d Ar off:dword
.Op Fl D Ar off:qword
.Op Fl w Ar off:hexpairs
.Op Fl p Ar padding
.Op Fl P Ar size
.Op Fl q Ar fragment
.Ar file|f.asm|-
.Sh DESCRIPTION
This command is part of the Rizin project.
.Pp
Programs generated by RzEgg are relocatable and can be injected into a running process or on-disk binary file.
.Pp
Since the rz-gg-cc merge, rz-gg can generate shellcode from C code. The final code can be linked with rz-bin, and it is relocatable, allowing injection into any remote process. This feature is conceptually based on shellforge4, but only supports Linux/OSX x86-32/64 platforms.
.Sh DIRECTIVES
.Pp
The rrz (rz-gg) configuration file accepts the following directives, described as key=value entries. Comments are lines starting with '#'.
.Bl -tag -width Fl
.It Fl a Ar arch
Select architecture (x86, mips, arm)
.It Fl b Ar bits
Set register size (32, 64, ..)
.It Fl B Ar hexpairs
Append hexpair bytes
.It Fl c Ar k=v
Set a configuration option for the shellcode encoder. The argument must be in key=value form
.It Fl C Ar file
Append contents of file
.It Fl d Ar off:dword
Patch dword (4 bytes) at given offset
.It Fl D Ar off:qword
Patch qword (8 bytes) at given offset
.It Fl e Ar encoder
Use specific encoder. See -L
.It Fl f Ar format
Output format (raw, c, pe, elf, mach0, python, javascript)
.It Fl F
Output native format (osx=mach0, linux=elf, ..)
.It Fl h
Show usage help message
.It Fl i Ar shellcode
Include shellcode plugin, use options. See -L
.It Fl I Ar path
Add include path
.It Fl k Ar kernel
Operating system's kernel (linux, bsd, osx, w32)
.It Fl L
List all plugins (shellcodes and encoders)
.It Fl n Ar dword
Append 32bit number (4 bytes)
.It Fl N Ar qword
Append 64bit number (8 bytes)
.It Fl o Ar file
Output file to write result of compilation
.It Fl O
Use default output file (filename without extension or a.out)
.It Fl p Ar padding
Add padding after compilation (padding=n10s32)
                 ntas : begin nop, trap, 'a', sequence
                 NTAS : same as above, but at the end
.It Fl P Ar size
Prepend debruijn sequence of given length
.It Fl q Ar fragment
Debruijn pattern offset
.It Fl r
Show raw bytes instead of hexpairs
.It Fl s
Show assembler
.It Fl S Ar string
Append a string
.It Fl v
Show version information
.It Fl w Ar off:hexpairs
Patch hexpairs at given offset
.It Fl x
Execute
.It Fl X
Execute rop chain, using the stack provided
.It Fl z
Output in C string syntax
.El
.Sh EXAMPLE
.Pp
  $ cat hi.r
  /* hello world in RzEgg */
  write@syscall(4); //x64 write@syscall(1);
  exit@syscall(1); //x64 exit@syscall(60);
.Pp
  main@global(128) {
    .var0 = "hi!\\n";
    write(1,.var0, 4);
    exit(0);
  }
  $ rz-gg \-O \-F hi.r
  $ ./hi
  hi!
.Pp
  # With a C file:
  $ cat hi.c
  main() {
    write(1, "Hello\\n", 6);
    exit(0);
  }
  $ rz-gg -O -F hi.c
.Pp
  $ ./hi
  Hello
.Pp
  # Linked into a tiny binary. This is 165 bytes
  $ wc \-c < hi
    165
.Pp
  # The compiled shellcode has zeroes
  $ rz-gg hi.c | tail -1
  eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010
  000000f0531ffb83c0000000f0531c0c3
.Pp
  # Use a xor encoder with key 64 to bypass
  $ rz-gg \-e xor \-c key=64 \-B $(rz-gg hi.c | tail -1)
  6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252
  c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f45
  71bff87c4040404f45718083
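.Pp
Added example, not part of rz-gg or the Rizin sources: a Python check an analyst can run on the two hexpair outputs above to confirm what the xor encoder did. It assumes the payload is the trailing part of the encoded output, and the function names are made up for this example.

```python
from collections import Counter

# Hexpairs copied from the EXAMPLE section above, one string per printed line.
PLAIN = bytes.fromhex(
    "eb0748656c6c6f0a00bf01000000488d35edffffffba06000000b8010"
    "000000f0531ffb83c0000000f0531c0c3"
)
ENCODED = bytes.fromhex(
    "6a2d596a405be8ffffffffc15e4883c60d301e48ffc6e2f9ab4708252"
    "c2c2f4a40ff4140404008cd75adbfbfbffa46404040f8414040404f45"
    "71bff87c4040404f45718083"
)


def guess_xor_key(blob: bytes) -> int:
    # Single-byte XOR turns every 0x00 into the key itself, so in code full
    # of zero-padded immediates the most frequent byte is the likely key.
    return Counter(blob).most_common(1)[0][0]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_payload(encoded: bytes, key: int, plain: bytes) -> int:
    # Offset at which the XOR-decoded bytes equal the known plain output;
    # everything before it is the decoder stub. Returns -1 if not found.
    return xor_bytes(encoded, key).find(plain)


def analyse(encoded: bytes = ENCODED, plain: bytes = PLAIN) -> dict:
    key = guess_xor_key(encoded)
    offset = find_payload(encoded, key, plain)
    return {
        "key": key,
        "stub_len": offset,
        "zeros_in_plain": plain.count(0),
        "zeros_in_encoded": encoded.count(0),
        "key_bytes_in_encoded": encoded.count(key),
        "round_trip": offset >= 0 and xor_bytes(encoded[offset:], key) == plain,
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(name, value)
```

The zero bytes are gone from the encoded output, but each one reappears as the key byte, so a long run of one repeated value in a captured blob is a useful hint when triaging single-byte XOR encodings.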
.Sh SEE ALSO
.Pp
.Xr rizin 1 ,
.Xr rz-hash 1 ,
.Xr rz-find 1 ,
.Xr rz-bin 1 ,
.Xr rz-diff 1 ,
.Xr rz-asm 1
.Sh AUTHORS
.Pp
pancake <pancake@nopcode.org>
.Pp
byteninjaa0
